NULL, FIN, AND XMAS SCANS
NULL, FIN, and Xmas scans are similar to each other. The major advantage of using these scans in a pentest is that they often get past stateless firewalls and packet-filtering IDS, because the probes carry no SYN flag. They are only useful against Unix-like targets, because all three rely on the RFC 793 rule that a closed port answers a stray segment with a RST while an open port silently drops it. Windows-based operating systems (and some other non-compliant stacks) send a reset packet regardless of whether the port is open or closed, so against them every port shows up as closed. The second disadvantage is that an open port and a filtered port both produce silence, so it cannot be determined from the scan alone whether a port is open or filtered; nmap reports such ports as open|filtered. This leaves us to manually verify them with other scan types, such as a SYN scan or version detection.
Figure: NULL scan exchange, source 192.168.0.8 to destination 192.168.0.7.

A null scan is accomplished by sending a TCP packet with no flags set in the TCP header. If no response comes back, the port is either open or filtered (nmap reports open|filtered); if a RST packet is received, the port is closed.
Command:
nmap -sN <target IP address>
FIN SCAN
Figure: FIN scan exchange, source 192.168.0.8 to destination 192.168.0.7.

The FIN flag is used to close a currently open session. In a FIN scan the sender sends a packet with only the FIN flag set to the target machine: if no response comes from the target machine, the port is either open or filtered (open|filtered); if the target machine responds with a RST, the port is closed.
Command:
nmap -sF <target IP address>
XMAS SCAN
Figure: Xmas scan exchange, source 192.168.0.8 to destination 192.168.0.7.

The Xmas scan sends a packet with the FIN, URG, and PSH flags set to the destination. It lights the packet up like a Christmas tree, and that is why it is called an Xmas scan. It works just like the FIN and null scans: if there is no response, the port is either open or filtered (open|filtered); if the target machine responds with a RST packet, the port is closed.
Command:
nmap -sX <target IP address>
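The three scans above differ only in the flag byte they send; what decides the result is how the target's TCP stack (and anything in front of it) handles a segment with no SYN, RST or ACK. The script below is an added example, not code from the original post: it packs the NULL, FIN and Xmas probes as raw TCP headers and replays them against two constructed host models, an RFC 793 compliant stack (rfc793_host) and a Windows-style stack that always answers RST (windows_host), plus a packet filter that silently drops probes (firewalled). The host and firewall models, the ports and the source port 40000 are all assumptions made for the example; nothing is sent on the wire.

```python
"""Added example (not from the original post): NULL, FIN and Xmas probes
replayed against two simplified host models.

Assumptions: `rfc793_host` models an RFC 793 compliant stack,
`windows_host` models a stack that answers RST regardless of port state,
and `firewalled` models a packet filter that silently drops probes.
All three are constructed for this example, not real traffic.
"""
import struct

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations nmap sends for -sN, -sF and -sX respectively.
SCAN_FLAGS = {
    "null": 0,
    "fin": TH_FIN,
    "xmas": TH_FIN | TH_PSH | TH_URG,
}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Pack a minimal 20-byte TCP header (no options; checksum left at zero)."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """The flag byte sits at offset 13 of the TCP header."""
    return header[13]


def tcp_dport(header):
    return struct.unpack("!H", header[2:4])[0]


def rfc793_host(open_ports, probe):
    """RFC 793: a CLOSED port answers RST to anything but a RST; a LISTENing
    port drops a segment that carries none of SYN, RST or ACK."""
    port, flags = tcp_dport(probe), tcp_flags(probe)
    if flags & TH_RST:
        return None
    if port not in open_ports:
        return build_tcp_header(port, 40000, TH_RST | TH_ACK)
    if flags & (TH_SYN | TH_ACK) == 0:
        return None  # the open|filtered case: silence
    raise NotImplementedError("only NULL/FIN/Xmas probes are modelled")


def windows_host(open_ports, probe):
    """Windows-style stack: RST for every NULL/FIN/Xmas probe, open or not."""
    return build_tcp_header(tcp_dport(probe), 40000, TH_RST | TH_ACK)


def firewalled(host, blocked_ports):
    """Wrap a host with a packet filter that silently drops probes to blocked ports."""
    def wrapped(open_ports, probe):
        if tcp_dport(probe) in blocked_ports:
            return None
        return host(open_ports, probe)
    return wrapped


def classify(response):
    """nmap's reading of a NULL/FIN/Xmas reply."""
    if response is None:
        return "open|filtered"   # silence: open port, or probe dropped on the way
    if tcp_flags(response) & TH_RST:
        return "closed"
    return "unexpected"


def scan(host, open_ports, ports, scan_type):
    """Send one probe per port from source port 40000 and classify each reply."""
    flags = SCAN_FLAGS[scan_type]
    return {p: classify(host(open_ports, build_tcp_header(40000, p, flags)))
            for p in ports}


if __name__ == "__main__":
    ports = [22, 80, 443]
    print("rfc793  xmas:", scan(rfc793_host, {22, 80}, ports, "xmas"))
    print("windows null:", scan(windows_host, {22, 80}, ports, "null"))
    print("filtered fin:", scan(firewalled(rfc793_host, {443}), {22}, ports, "fin"))
```

Against the RFC 793 model, the open ports 22 and 80 come back open|filtered and 443 comes back closed; against the Windows model every port is closed; and when the filter drops port 443 (which is really closed), it becomes indistinguishable from the open port 22, which is the open-versus-filtered ambiguity described above.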
TCP ACK SCAN
Figure: TCP ACK scan exchange, source 69.240.103.51 to destination 68.46.234.161.

The TCP ACK scan is not used to determine whether a port is open. It is commonly used to map firewall and ACL (access list) rules and to find out whether the firewall is stateful, that is, whether it keeps track of the connections that are being made.
The way this works is that the source machine sends an ACK packet instead of a SYN packet. A host that receives a stray ACK replies with a RST whether the port is open or closed, so a RST tells us only that the port is unfiltered, meaning the probe reached the host. If the firewall is stateful, it knows that no SYN was sent for this connection and drops the packet before it reaches the destination; no response, or an ICMP unreachable error, means the port is filtered.
Figure: responses to the TCP ACK scan. The Wireshark capture of the exchange gives a better insight into the TCP ACK scan.
Command:
nmap -sA <target IP address>
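The difference between a stateless ACL and a stateful firewall is easiest to see by replaying the ACK probe against both. The script below is an added example and not part of the original post: segments are plain dicts, stateless_acl and StatefulFirewall are constructed models of a packet-filter ACL and of a connection-tracking firewall, and end_host follows RFC 793 by answering a bare ACK with a RST on every port. The port numbers and the source port 40000 are assumptions; nothing is sent on the wire.

```python
"""Added example (not from the original post): why an ACK probe maps
firewall rules but says nothing about port state.

Assumptions: segments are plain dicts; `stateless_acl` and
`StatefulFirewall` are constructed models; `end_host` answers RST to a
bare ACK on any port, open or closed, as RFC 793 requires.
"""
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


def segment(src, sport, dport, flags):
    return {"src": src, "sport": sport, "dport": dport, "flags": flags}


def stateless_acl(allowed_ports):
    """Router ACL: forwards any segment whose destination port is allowed,
    without caring whether a connection exists."""
    def forward(seg):
        return seg["dport"] in allowed_ports
    return forward


class StatefulFirewall:
    """Connection tracking: a non-SYN segment passes only if its flow was
    opened earlier by a SYN that the rule set permitted."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.flows = set()

    def forward(self, seg):
        key = (seg["src"], seg["sport"], seg["dport"])
        if seg["flags"] & TH_SYN and seg["dport"] in self.allowed:
            self.flows.add(key)
            return True
        return key in self.flows


def end_host(seg):
    """RFC 793: a bare ACK that matches no connection gets a RST whether the
    port is LISTENing or CLOSED, so the reply reveals nothing about state."""
    if seg["flags"] & TH_ACK and not seg["flags"] & TH_SYN:
        return segment("target", seg["dport"], seg["sport"], TH_RST)
    return None  # other probe types are not modelled here


def send(firewall, seg):
    """Deliver the segment to the host only if the firewall forwards it."""
    return end_host(seg) if firewall(seg) else None


def classify_ack(reply):
    """nmap -sA: a RST means the probe reached the host (unfiltered);
    silence or an ICMP error means a filter ate it (filtered)."""
    if reply is not None and reply["flags"] & TH_RST:
        return "unfiltered"
    return "filtered"


def ack_scan(firewall, ports, src="scanner", sport=40000):
    return {p: classify_ack(send(firewall, segment(src, sport, p, TH_ACK)))
            for p in ports}


def syn_then_ack(fw, port, src="scanner", sport=40000):
    """Show that connection state, not the port, decides: open a flow with a
    SYN first, then the same 4-tuple's ACK passes the stateful firewall."""
    fw.forward(segment(src, sport, port, TH_SYN))
    return classify_ack(send(fw.forward, segment(src, sport, port, TH_ACK)))


if __name__ == "__main__":
    print("stateless ACL:", ack_scan(stateless_acl({80, 443}), [22, 80, 443]))
    fw = StatefulFirewall({80, 443})
    print("stateful:     ", ack_scan(fw.forward, [22, 80, 443]))
    print("after SYN on 80:", syn_then_ack(fw, 80))
```

With the stateless ACL, the ACK scan reveals the rule set directly (80 and 443 unfiltered, 22 filtered). With the stateful firewall every port is filtered, because no SYN ever created a flow; only after a permitted SYN on port 80 does the ACK on the same 4-tuple get through, which is exactly how a pentester distinguishes the two firewall types from the scan output.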
UDP PORT SCAN
UDP stands for "user datagram protocol"; it is connectionless and does not ensure the reliability of the communication, so it is not used where every datagram must arrive. Many services use UDP; a UDP port scan can be used to determine which common UDP services are listening. Some of the popular UDP services are DHCP, SNMP, and DNS.
The UDP port scan works by sending a UDP datagram with an empty payload to each port (nmap sends a protocol-specific payload for a few well-known ports); any kind of UDP response from the target port reveals that the port is open. No response means that the port is either open or filtered (reported as open|filtered); a service that only answers well-formed requests will look open|filtered to an empty probe. A closed port is determined on the basis of ICMP error messages: if the target responds with an ICMP port unreachable error (type 3, code 3), the port is closed. Any other ICMP unreachable error (type 3, codes 1, 2, 9, 10, or 13) means that the port is filtered.
Command:
nmap -sU <target IP address>
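The UDP state rules above hinge on reading the ICMP error that comes back and matching it to the probe that caused it. The script below is an added example, not code from the original post: it packs a minimal IPv4 header and UDP datagram, builds the ICMP type 3 errors a target would send, pulls the quoted destination port back out of such an error, and applies the open / closed / filtered / open|filtered rules. The target model udp_host is constructed for the example (DNS on 53 answers only a non-empty query, port 161 is rejected with ICMP administratively prohibited, everything else is closed); the addresses 192.168.0.8 and 192.168.0.7 come from the figures on this page and the source port 40000 is an assumption. Checksums are left at zero and nothing is sent on the wire.

```python
"""Added example (not from the original post): UDP probes and the ICMP
errors nmap uses to tell closed from filtered.

Assumptions: `udp_host` is a constructed target model; packets are built
with struct and checksums are left at zero.
"""
import struct

ICMP_UNREACH = 3
PORT_UNREACH = 3
FILTERED_CODES = {1, 2, 9, 10, 13}  # host/proto unreachable, net/host/admin prohibited


def ipv4_header(src, dst, payload_len, proto=17):
    """Minimal 20-byte IPv4 header (version/IHL 0x45, TTL 64, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def udp_datagram(sport, dport, payload=b""):
    """UDP header: source, destination, length (header + payload), checksum 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_unreachable(code, offending_ip_packet):
    """ICMP type 3 error: 8-byte header, then the offending IP header + 8 bytes."""
    return struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + offending_ip_packet[:28]


def quoted_dport(icmp):
    """Recover the UDP destination port from the datagram quoted inside an ICMP
    error; this is how a scanner matches the error back to its probe."""
    ihl = (icmp[8] & 0x0F) * 4
    return struct.unpack("!H", icmp[8 + ihl + 2:8 + ihl + 4])[0]


def classify_udp(reply):
    """nmap -sU state rules applied to one reply."""
    if reply is None:
        return "open|filtered"
    kind, data = reply
    if kind == "udp":
        return "open"
    icmp_type, code = data[0], data[1]
    if icmp_type == ICMP_UNREACH and code == PORT_UNREACH:
        return "closed"
    if icmp_type == ICMP_UNREACH and code in FILTERED_CODES:
        return "filtered"
    return "open|filtered"  # any other reply carries no usable information


def udp_host(probe_ip_packet):
    """Constructed target: DNS on 53 answers only a non-empty query, port 161
    is rejected by a filter with admin-prohibited, everything else is closed."""
    udp = probe_ip_packet[20:]
    sport, dport = struct.unpack("!HH", udp[0:4])
    payload = udp[8:]
    if dport == 161:
        return ("icmp", icmp_unreachable(13, probe_ip_packet))
    if dport == 53:
        return ("udp", udp_datagram(53, sport, b"\x00\x01")) if payload else None
    return ("icmp", icmp_unreachable(PORT_UNREACH, probe_ip_packet))


def udp_scan(host, ports, payloads=None, src="192.168.0.8", dst="192.168.0.7"):
    """Send one datagram per port (empty by default, like nmap for most ports)
    and classify each reply; `payloads` maps a port to a protocol-specific probe."""
    payloads = payloads or {}
    results = {}
    for port in ports:
        udp = udp_datagram(40000, port, payloads.get(port, b""))
        reply = host(ipv4_header(src, dst, len(udp)) + udp)
        results[port] = classify_udp(reply)
    return results


if __name__ == "__main__":
    print("empty probes:", udp_scan(udp_host, [53, 123, 161]))
    # Constructed stand-in for a DNS query: any non-empty payload wakes the service.
    print("with payload:", udp_scan(udp_host, [53], {53: b"\x12\x34\x01\x00"}))
```

With empty probes the DNS port comes back open|filtered, the closed port 123 comes back closed (port unreachable) and the filtered port 161 comes back filtered (administratively prohibited); giving port 53 a payload turns it into open, which is why nmap's protocol-specific payloads and the -sV version probes matter for UDP.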